From 733118a463f7df86944812c0bbd749350ab71d94 Mon Sep 17 00:00:00 2001 From: Jake McGinty Date: Sun, 25 Apr 2021 01:59:48 +0900 Subject: [PATCH] README: add security recommendations for services --- README.md | 25 ++++++++++++++++++++++++- 1 file changed, 24 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 92229ed..3e208b0 100644 --- a/README.md +++ b/README.md @@ -12,7 +12,7 @@ This has not received an independent security audit, and should be considered ex ### Server Creation -Every `innernet` network needs a coordination server to manage peers and provide endpoint information so peers can contact each other. Create a new one with +Every `innernet` network needs a coordination server to manage peers and provide endpoint information so peers can directly connect to each other. Create a new one with ```sh sudo innernet-server new 
@@ -144,6 +144,29 @@ or unset the port and use a randomized port with sudo innernet set-listen-port -u ``` +## Security recommendations + +If you're running a service on innernet, there are some important security considerations. + +### Enable strict Reverse Path Filtering ([RFC 3704](https://tools.ietf.org/html/rfc3704)) + +Strict RPF prevents packets from *other* interfaces from having internal source IP addresses. This is *not* the default on Linux, even though it is the right choice for 99.99% of situations. You can enable it by adding the following to a `/etc/sysctl.d/60-network-security.conf`: + +``` +net.ipv4.conf.all.rp_filter=1 +net.ipv4.conf.default.rp_filter=1 +``` + +### Bind to the WireGuard device + +If possible, to *ensure* that packets are only ever transmitted over the WireGuard interface, it's recommended that you use `SO_BINDTODEVICE` on Linux or `IP_BOUND_IF` on macOS/BSDs. If you have strict reverse path filtering, though, this is less of a concern. + +### IP addresses alone often aren't enough authentication + +Even following all the above precautions, rogue applications on a peer's machines could be able to make requests on their behalf unless you add extra layers of authentication to mitigate this CSRF-type vector. + +It's recommended that you carefully consider this possibility before deciding that the source IP is sufficient for your authentication needs on a service. + ## Installation innernet has only officially been tested on Linux and MacOS, but we hope to support as many platforms as is feasible!
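Review bot: the first hunk (Server Creation, "can contact each other" to "can directly connect to each other") is a wording change unrelated to the subject line "README: add security recommendations for services". Either mention it in the commit message or split it into its own commit so the security section can be reviewed and reverted independently.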
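Review bot: in the "Enable strict Reverse Path Filtering" part of the second hunk, the snippet sets only `net.ipv4.conf.all.rp_filter=1` and `net.ipv4.conf.default.rp_filter=1`, and the text never says how to load the file, so a reader who follows it has no strict RPF until the next boot and no indication that the setting is IPv4-only. Suggest adding one sentence that `sudo sysctl --system` applies the file immediately, and one stating that `rp_filter` does not cover IPv6 traffic, so a network using IPv6 addresses needs a separate measure. In the last section, "extra layers of authentication" would be more actionable with at least one named example of such a layer. Smaller wording points in the same hunk: "to a `/etc/sysctl.d/60-network-security.conf`" should drop the "a", "could be able to" reads better as "may be able to", and "a peer's machines" should probably be "a peer's machine".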